CVE-2021-43816 Explained: Impact and Mitigation

Learn about CVE-2021-43816, a high-severity vulnerability in containerd versions >= 1.5.0 and < 1.5.9, allowing unauthorized access to privileged host files. Upgrade to version 1.5.9 for protection.

A vulnerability in containerd allows unprivileged pods to access privileged host files on systems using SELinux, affecting versions >= 1.5.0 and < 1.5.9. Upgrading to version 1.5.9 is recommended.

Understanding CVE-2021-43816

containerd is an open-source container runtime. This vulnerability in it could allow unauthorized access to privileged files on certain Linux systems.

What is CVE-2021-43816?

The vulnerability in containerd versions >= 1.5.0 and < 1.5.9 enables unprivileged pods to gain complete read/write access to privileged host files by using hostPath volume mounts with specific locations.

The Impact of CVE-2021-43816

The vulnerability has a CVSS base score of 8.0, indicating high severity. It can result in high confidentiality, integrity, and availability impacts, requires high privileges, and affects the network's security.

Technical Details of CVE-2021-43816

This section covers specific technical aspects of the vulnerability.

Vulnerability Description

The issue arises on systems using SELinux, where unprivileged pods can bind mount hostPath volumes to access privileged files like /etc/hosts, /etc/hostname, or /etc/resolv.conf, potentially elevating permissions for unauthorized containers.

Affected Systems and Versions

        Systems using SELinux, such as EL8 (CentOS, RHEL), Fedora, or SUSE MicroOS
        containerd versions >= 1.5.0 and < 1.5.9

Exploitation Mechanism

        Unprivileged pods exploiting hostPath volume mounts on specific Linux systems
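
To find exposure in a cluster, the following added example (not part of the original page or of containerd) selects nodes whose reported containerd version is >= 1.5.0 and < 1.5.9 and lists pods on them with hostPath mounts involving the three files named above. Matching either side of the mount, the helper names, and the sample data are assumptions of this example.

```python
import re

# Files the page names as reachable through hostPath bind mounts.
SENSITIVE_PATHS = {"/etc/hosts", "/etc/hostname", "/etc/resolv.conf"}
AFFECTED_MIN, FIXED = (1, 5, 0), (1, 5, 9)  # affected: >= 1.5.0 and < 1.5.9

def runtime_affected(runtime_version):
    """True for strings such as 'containerd://1.5.7' inside the affected range."""
    m = re.match(r"containerd://v?(\d+)\.(\d+)\.(\d+)", runtime_version)
    if not m:
        return False  # other runtime or unparseable string: out of scope
    return AFFECTED_MIN <= tuple(map(int, m.groups())) < FIXED

def risky_mounts(pod):
    """Yield (container, host_path, mount_path); either side may match (assumption)."""
    spec = pod["spec"]
    host_paths = {v["name"]: v["hostPath"]["path"]
                  for v in spec.get("volumes", []) if "hostPath" in v}
    for c in spec.get("initContainers", []) + spec.get("containers", []):
        for vm in c.get("volumeMounts", []):
            src = host_paths.get(vm["name"])
            if src and {src.rstrip("/"), vm["mountPath"].rstrip("/")} & SENSITIVE_PATHS:
                yield c["name"], src, vm["mountPath"]

def audit(nodes, pods):
    """Findings for pods scheduled on nodes that run an affected containerd."""
    affected = {n["metadata"]["name"] for n in nodes["items"]
                if runtime_affected(n["status"]["nodeInfo"]["containerRuntimeVersion"])}
    return [(p["metadata"]["namespace"], p["metadata"]["name"], *hit)
            for p in pods["items"] if p["spec"].get("nodeName") in affected
            for hit in risky_mounts(p)]

def make_node(name, runtime):  # constructed sample data (hypothetical names)
    return {"metadata": {"name": name},
            "status": {"nodeInfo": {"containerRuntimeVersion": runtime}}}
def make_pod(name, node, host_path, mount_path):
    mounts = [{"name": "v", "mountPath": mount_path}]
    return {"metadata": {"namespace": "default", "name": name},
            "spec": {"nodeName": node,
                     "volumes": [{"name": "v", "hostPath": {"path": host_path}}],
                     "containers": [{"name": "app", "volumeMounts": mounts}]}}

SAMPLE_NODES = {"items": [make_node("old", "containerd://1.5.7"), make_node("new", "containerd://1.5.9")]}
SAMPLE_PODS = {"items": [make_pod("a", "old", "/etc/hosts", "/etc/hosts"),
                         make_pod("b", "old", "/var/log/app", "/logs"),
                         make_pod("c", "new", "/etc/hosts", "/etc/hosts")]}

if __name__ == "__main__":
    print(*audit(SAMPLE_NODES, SAMPLE_PODS), sep="\n")
```

On a real cluster, pass `audit` the parsed output of `kubectl get nodes -o json` and `kubectl get pods -A -o json`. SELinux mode is not visible in that data and has to be confirmed on each flagged node.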

Mitigation and Prevention

Protect systems from the vulnerability and enhance security.

Immediate Steps to Take

        Upgrade containerd to version 1.5.9 or later
        Monitor and restrict access to sensitive system files

Long-Term Security Practices

        Implement least privilege principles for container access
        Regularly update and patch container runtimes and related software
        Conduct security audits and vulnerability assessments

Patching and Updates

        Apply patches provided by containerd to address the vulnerability
